Friday 10 December 2021

Microsoft Exchange Server - FIPS-FS Error 0x800706BE, 0x80010105

We started encountering this issue on our on-prem (Hybrid) exchange server all of a sudden which was preventing emails from being scanned by the anti malware module, and hence were being held in the submission queue and not being delivered.

You may see errors in the event log such as;

The FIP-FS Scan Process failed initialization. Error: 0x80010105. Error Details: The server threw an exception.

The FIP-FS Scan Process failed initialization. Error: 0x800706BE. Error Details: The remote procedure call failed.

Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: scanningprocess.exe

The usual server and service restarts did not fix the problem.

The issue appears to be related to updates not being installed correctly for the exchange anti malware scanning module.

You can check/confirm this by running these commands from Powershell;

Add-PsSnapin Microsoft.Forefront.Filtering.Management.Powershell

Get-EngineUpdateInformation

We got a response like below - note the "UpdateAttemptFailed" status








You can also check the update engine settings by running the command

get-engineupdatecommonsettings







Note the PrimaryUpdatePath - when we attempted to access this URL we were getting a 404 error - this is potentially what the problem is?




Update 4/1/22

I found the following article from the Exchange Team Blog that references this issue and provides a script to fix it


Before implementing the provided fix, I can ran the default script to Enable-AntimalwareScanning (located in C:\Program Files\Microsoft\Exchange Server\V15\Scripts) - mail delivery operated for a brief period of time before mails began queuing again.

I ran the script provided in the blogpost, and even after a full server restart, the problem still persists so I have disabled the antimalware scanning again

Fix/Solution/Workaround

Disable the anti-malware scanning option. This is easily done by running the included powershell script in your Exchange installation directory

C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Disable-AntimalwareScanning.ps1

Run the script then restart the Microsoft Exchange Transport Service

Once we did this the submission queue immediately started clearing.

You can reverse the change easily by running the Enable-AntimalwareScanning.ps1 script in the same folder later on.


We've also found this recent MS article outlining steps to manually update the scan engines used by Exchange Server, but we found it still failed to update the signatures after running it

https://docs.microsoft.com/en-us/exchange/troubleshoot/setup/manually-update-scan-engines




Tuesday 16 November 2021

How to reclaim space from deleted files on windows server deduplication volume

Windows server has great deduplication functionality allowing for increased usable capacity on non-operating system volumes, by performing block level deduplication to increase storage efficiency. This is particularly useful for storing data such as backups, which often involves minimal changing data, so a prime candidate for effective deduplication.

The problem often encountered with deduplication volumes is that when files are deleted, the space is not immediately reclaimed by the operating system. A "garbage collection" process needs to be run in order for the deduplication engine to reclaim this space.

Thankfully, this is incredibly easy to do and can be done from a powershell command prompt - here's the command you need to run;

start-dedupjob -type GarbageCollection -full -path e: -FastStart $true

Be sure to change the -path variable from E: to whatever drive you wish to run the garbage collection on. Also note that depending on the size of your volume, the garbage collection can take some time to initiate and complete, even with using the -FastStart switch.

You can check the progress of your deduplication jobs by running the command

get-dedupjob

Tuesday 2 November 2021

Microsoft Exchange - 451 4.7.0 Temporary server error. Please try again later. PRX5 - FIX

I encountered this error on my on-premise/Hybrid exchange server today after noticing that internal mail relay was not working. When attempting to send a test email via telnet, I got the error 451 4.7.0 Temporary server error. Please try again later. PRX5

After rebooting the server, the error still persisted - so a quick bit of searching quickly lead to me adjusting the Exchange servers DNS settings.

From within Exchange Control Panel (ECP) - go to Servers (left hand menu) and double click your Exchange server to open it's properties



Select DNS Lookups from the left menu.

By default, the option for External and Internal DNS lookups is usually All network adapters (All available IPv4). I changed this to Microsoft Hyper-V Network Adapter and the problem was immediately resolved.

Friday 20 August 2021

Google Classroom - How to get a list of all classes/classrooms

You can use the GAM utility to easily export the details of all Google Classrooms in your domain by following the commands below. In this example we'll be exporting the details to a CSV file

(Be sure to update the path to gam.exe and the output CSV file location)

$allclasses = C:\admin\gam\gam.exe print courses > "C:\Admin\Google Classroom\allclasses.csv"

This works well, but if you look at your CSV file you'll notice that firstly, it isn't formatted into columns properly, and secondly, there are a heap of fields called "coursematerial" that aren't required. We can filter out those fields by using the command below

$allclassesfiltered = import-csv "C:\Admin\GoogleClassroom\allclasses.csv" | select-object * -ExcludeProperty "courseMaterial*"

We can then re-export the CSV file with the command below which will actually export it correctly as a CSV file with data separated into columns correctly

$allclassesfiltered | export-csv "C:\Admin\Google Classroom\allclasses-filtered.csv" -NoTypeInformation


Thursday 19 August 2021

GAM - How To Sync Google Classroom Students from CSV File

GAM is great command line utility that fills a huge void in the management of Google Classroom - since Google haven't bothered after all these years to create any kind of centralised management interface for the product despite a huge uptake in use from COVID-19 and remote learning.

One of the downfalls of GAM is it can be a little slow - if you wanted to add students individually to a class, the command to add each student takes several seconds to execute - which doesn't sound like much, but in a large school with lots of students and lots of classes - it could take hours to complete.

Thankfully, they have included the ability to synchronise members (students) of a class from a CSV file. What they don't mention in their documentation though is how the CSV file should be formatted - kind of important, right?

The CSV file should be formatted as a basic list - with a single column and no column headings - containing the email addresses of the students you wish to add. If you opened it in Notepad - it would look like the screenshot below

Example CSV file format to sync students to Google Classroom with GAM

One thing to note - if you are going to sync from a CSV file, it will add all the students in the CSV file to the classroom, but it will also remove any students already in the classroom who aren't listed in the CSV file, so it's important your CSV file contains all the students in the class.

The command to run the sync is below;

C:\admin\gam\gam.exe course "googlecourseid"  sync students file "C:\admin\GoogleClassroom\class1.csv"

(Be sure to update the path to your gam.exe file, the google course ID and the CSV file location)

Wednesday 18 August 2021

Microsoft Teams - Add Members from Active Directory Group to Team

Teams may often need to be populated with the members of an existing Active Directory security or distribution group. You can use the powershell commands below to easily do this.

Firstly, we need to get the members of our Active Directory group - and pipe the result to the get-aduser cmdlet so we can include the mail property as this is the identifying field we need to use to add users to Teams.

$grpmembers = Get-ADGroupMember -identity | Get-ADUser -properties mail

We will then enable connect to Microsoft Teams to enable the cmdlets, cycle through the list of members and add them to the team. Make sure you update the $teamgrpid to be the unique group ID for the team you wish to add the users to.

Connect-MicrosoftTeams

$teamgrpid = "123456"

foreach ($grpmember in $grpmembers)
    {
    Add-TeamUser -groupid $teamgrpid -user $($grpmember.mail) -role user
    }

You can change the role variable from user to member if you wish to add the users as members instead.


Tuesday 17 August 2021

Install Active Directory Powershell Module in Windows 10

For whatever reason, Microsoft has now changed the way the powershell module for Active Directory Domain Services and Lightweight Directory Services tools.

Most documentation suggests you install this from the "Turn Windows features on or off" menu located under Programs and Features within Control Panel - but in later Windows 10 releases, the feature is no longer available. It was previously called "Role Administration Tools".

Role Administration Tools is no longer visible under Turn Windows Features on or off

Likewise, the previously used powershell command is no longer recognised

Enable-WindowsOptionalFeature -Online -FeatureName RSATClient-Roles-AD-Powershell

You now get an error when running this command

Enable-WindowsOptionalFeature : Feature name RSATClient-Roles-AD-Powershell is unknown.

So, how do you do it? Follow the steps below
  1. Click the Start button then select Settings
  2. Select Apps
  3. Select Optional Features
  4. Click Add a Feature
  5. Search for "RSAT" and select the option for RSAT: Active Directory Domain Services and Lightweight Directory Services Tools



    Select the option for RSAT: Active Directory Domain Services and Lightweight Directory Services

  6. Click Install
If you get an error saying the install failed, make sure you aren't using a WSUS server as windows will try and install it from there by default if you are.

To check, open regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU and set the UseWUServer key to 0


Monday 16 August 2021

Microsoft Teams - Assign Teams Policies to Users with Powershell

Policies can be created within Microsoft Teams to manage permissions and restrictions on sets of users. In a school environment for example, you may wish to prevent the ability of students to call other users directly, but allow it for staff.

There are four (4) different types of policies that can be configured/applied to users in Teams;

  1. Calling Policies
  2. Meeting Policies
  3. Channels Policies
  4. Messaging Policies
The policies can be created/configured within the Teams web admin interface.

Calling Policies are configured under Voice > Calling Policies
Meeting Policies are configured under Meetings > Meeting Policies
Channels Policies are configured under Teams > Teams Policies
Messaging Policies are configured under Messaging Policies

Once they're created and configured, they can be applied to users via powershell which can be quicker than doing it manually via the web admin interface - especially if you need to apply it to a large batch of users.

The cmdlet we'll be using for this is New-CsBatchPolicyAssignmentOperation

Be sure to update the PolicyName and Identity arguments to match your policy and user

Apply Teams Calling Policy to Users

New-CSBatchPolicyAssignmentOperation -PolicyType TeamsCallingPolicy -PolicyName "Name" -identity "user@domain.com"

Apply Teams Meeting Policy to Users

New-CSBatchPolicyAssignmentOperation -PolicyType TeamsMeetingPolicy -PolicyName "Name" -identity "user@domain.com"

Apply Teams Channel Policy to Users

New-CSBatchPolicyAssignmentOperation -PolicyType TeamsChannelsPolicy -PolicyName "Name" -identity "user@domain.com"

Apply teams Messaging Policy to Users

New-CSBatchPolicyAssignmentOperation -PolicyType TeamsMessagingPolicy -PolicyName "Name" -identity "user@domain.com"

Checking

You can then check what policies are applied to a user by using the cmdlet below

Get-CsUserPolicyAssignment -identity "user@domain.com" 

This command will return a table displaying all the different policies that are applied to the user specified

Friday 13 August 2021

Microsoft Teams - Add Additional Team Owner using Powershell

When a user is added to a Microsoft Team, they are added as either a "member" or an "owner". Adding them as an "owner" gives them additional privileges/rights within the team - such as being able to add other members, delete chat messages etc.

If you add a user to a team using the "add-teamuser" powershell cmdlet, it will by default add them as a member. You can use a switch within the command to add them as an owner instead.

Here's an example;

add-teamuser -groupid "abc123" -user "user@domain.com" -role owner

As you can see, the "-role owner" switch is what adds them as an owner to the team, instead of adding them as a member.

If the "-role" switch isn't specified, the user will be added as a member by default. You can alternatively include the "-role" switch and specify "member" as well - like the example below

add-teamuser -groupid "abc123" -user "user@domain.com" -role member

This could be useful if you're using some kind of loop and want to add some users as members and some as owners and have the owner/member specified in a variable.

Thursday 12 August 2021

Microsoft Teams - Copy Users Team Memberships to Another User

Microsoft Teams doesn't have any easy facility to export all the teams a particular user is a member of which can be useful if you want to copy the team memberships from one user to another.

Thankfully there is a way to do it though - since Microsoft Teams are actually O365 groups behind the scenes, we can utilise some O365 powershell cmdlet magic to accomplish this.

First, we need to connect to our O365 environment then import the session so we can access the cmdlets

$ex = New-PSSession -ConfigurationName Microsoft.Exchange -Credential user@domain.com -ConnectionUri https://outlook.office365.com/powershell -Authentication basic -AllowRedirection

import-pssession $ex

Next, let's get a list of all groups of the user we want to copy from - ie. the source user (be sure to adjust the source user variable to use your own target users email address)

$sourceuser = "user1@domain.com"

$Office365GroupsMember = Get-UnifiedGroup | where { (Get-UnifiedGroupLinks $_.Alias -LinkType Members | foreach {$_.primarysmtpaddress}) -contains $sourceuser}


You can then look at the $Office365GroupsMember variable to see a list of all the O365 groups that the source user is a member of

If you have a mixture of O365 groups AND MSTeams and want to isolate the MS Teams - you can filter the results further by using the command beloww

$o365teamsgroups = $office365GroupsMember | where {$_.serviceendpointuris -like "*MicrosoftTeams*"}

Now that we have our list of Teams, we can go through the list and add our target user to each team. But to do this we need the unique Group ID for each team which is included in the script below. Be sure to update the $targetuser variable with the email address of the user you wish to add to the groups.

Connect-MicrosoftTeams
$targetuser = "user2@domain.com"

foreach ($o365team in $o365teamgroups)
    {
    $teamprops = get-team -displayname $($o365team.displayname)
    write-host "Adding $targetuser to $($teamprops.displayname) team"
    add-teamuser -groupid $($teamprops) -user $targetuser
    }

Wednesday 11 August 2021

Microsoft Teams - How to Archive Teams using Powershell

Microsoft Teams has a great feature that allows users (and administrators) to archive teams instead of deleting them when they are no longer required. This can be convenient as archived teams are no longer visible to users, but can easily be re-activated (or unarchived) if they, or their contents are required in the future - which isn't possible if you delete a team.

To archive a team, use the command below

Connect-MicrosoftTeams

Set-TeamArchivedState -groupid "teamgroupidnumber123" -Archived:$true

Be sure to update the groupid with the unique groupid for the team you wish to archive. If you don't know what the groupid is, run the cmdlet below

Get-Team -displayname "Team Name"

The GroupID will be displayed in the matching results

After the team is archived you can still view it through the Teams Admin Console

Tuesday 10 August 2021

Microsoft Teams - Get Team ID/Group ID using Powershell

Many Microsoft Teams commands for powershell require you to specify the group id for a team so the script knows which one of your teams you wish to work on. The Group ID/Team ID is a unique string of letters and numbers which is why it's commonly used to ensure only one team would ever be targeted by a command.

Use the command(s) below to get the group id for one, or all of your teams.

Connect-MicrosoftTeams

get-team -displayname "Test Class"

You should get a response with the GroupID shown like in the example below;


Simple, right? What if I wanted to get the properties for all of my teams? Try the command below

get-team

You can even store the groupid in a variable so it's easier to reference in subsequent commands. In this example, we'll store the properties in the $teamprops variable;

$teamprops = get-team -displayname "Test Class"

You can then use the $teamprops.groupid property in another command - for example;

add-teamuser -groupid $teamprops.groupid -user "user@domain.com"

Monday 9 August 2021

Microsoft Teams - Add Members to Private Channel using Powershell

If you have a large number of members you need to add to a private channel in teams, you may wish to use powershell to do so as it can be much faster than manually adding users via the Teams app, or web management interface.

Note that you will need to install the preview/prerelease version of the Microsoft Teams powershell module to get access to the cmdlet that we're using here (refer to my separate blog post on how to do this)

Add-TeamChannelUser -GroupID "abc123456789" -Displayname "privatechannelname" -user "user@domain.com"

Be sure to update the Group ID with the unique Group ID of your target team - and the displayname should match the displayname of the private channel you wish to add the user to.

Note that adding users via this cmdlet can cause them to not show in the actual team for some time (in my experience 15-30 mins) so you may need to allow some time before checking/confirming they appear in the channel user list

Sunday 8 August 2021

Microsoft Teams - Install Preview/Prerelease Powershell Module

Microsoft Teams has a preview/prerelease version of their powershell module available which has some commands that aren't contained in the general/public release.

If you wish to install the prerelease module, you can use the command below to do so

Install-Module -Name MicrosoftTeams -AllowPrerelease -force

You may need to restart your powershell session and import the module again to get the required cmdlets.

If you get an error saying the 'allowprerelease' argument isn't recognized, then run the below commands ot update the PackageManagement and PowershellGet modules

Install-Module -Name PackageManagement -Repository PSGallery -Force
Install-Module -Name PowerShellGet -Repository PSGallery -Force

Restart your powershell session then run the install-module command again and it should complete successfully.

Saturday 7 August 2021

Powershell - a parameter cannot be found that matches parameter name 'AllowPrerelease'

Sometimes when installing powershell modules, you may wish to utilise pre-release or preview versions of packages. Depending on what version of powershell you have installed, you may get an error message like the one below when attempting to install preview/prerelease packages;

Install-Module : A parameter cannot be found that matches parameter name 'AllowPrerelease'.

At line:1 char:37

To fix the problem you need to force an update of a couple of Powershell modules - namely PowershellGet and PackageManagement. 

Run the commands below from an elevated powershell command prompt;

Install-Module -Name PowerShellGet -Repository PSGallery -Force
Install-Module -Name PackageManagement -Repository PSGallery -Force

Exit/close your Powershell window/session then re-open and run the install-module command again - it should now complete successfully

Friday 6 August 2021

Microsoft Teams - teamchanneluser cmdlet is not recognized

Microsoft Teams features some commands (cmdlets) that are not readily available in the public/general release version of the Microsoft Teams powershell module. Some of these commands are;

get-teamchanneluser

add-teamchanneluser

If you attempt to run these commands, you'll get an error message like the one below;

get-teamchanneluser : The term 'get-teamchanneluser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

At line:1 char:1

To fix the problem you will need to install the preview release of the Microsoft Teams powershell module. You can check the release version numbers from the website below

https://www.powershellgallery.com/packages/MicrosoftTeams/2.0.0

To install the preview release version, make note of the version number then run the command below

Install-Module -Name MicrosoftTeams -AllowPrerelease

To fix the problem you need to force an update of a couple of Powershell modules - namely PowershellGet and PackageManagement. 

Install-Module : A parameter cannot be found that matches parameter name 'AllowPrerelease'.

At line:1 char:37

Run the commands below from an elevanted powershell command prompt;

Install-Module -Name PowerShellGet -Repository PSGallery -Force
Install-Module -Name PackageManagement -Repository PSGallery -Force

Exit/close your Powershell window/session then re-open and run the install-module command again - it should now complete successfully

You can confirm what version is installed by running the commands

import-module "MicrosoftTeams"

get-module

Look for the version number for the "MicrosoftTeams" module

Thursday 5 August 2021

Microsoft Teams - The term is not recognized as the name of a cmdlet..

If you get an error message like the one below when attempting to issue commands like "connect-microsoftteams" - it's because you haven't got the MS Teams cmdlets installed

Connect-MicrosoftTeams : The term 'Connect-MicrosoftTeams' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

At line:1 char:1

To install the Microsoft Teams Powershell cmdlets, enter the command below. Make sure you run this from an elevated/administrator powershell prompt

install-module -name MicrosoftTeams -force

If you don't run it as administrator, you'll get a message like this;

install-module : Administrator rights are required to install modules in 'C:\Program Files\WindowsPowerShell\Modules'. Log on to the computer with an account that has Administrator rights, and then try again, or install 

'C:\Users\username\Documents\WindowsPowerShell\Modules' by adding "-Scope CurrentUser" to your command. You can also try running the Windows PowerShell session with elevated rights (Run as Administrator).

The installation may take a minute or two to complete, you can confirm the module has been installed by running the following command

import-module "MicrosofTeams"

Then run the command

get-module

A list of available modules will be displayed which should include MicrosoftTeams like the screenshot below

get-module command output showing MicrosoftTeams module available


Wednesday 4 August 2021

Microsoft Teams - Powershell Administration Commands

 Microsoft Teams has a powershell module available that allows you to perform just about all Teams management tasks using a script. This is very convenient for bulk operations, like creating lots of teams and keeping team memberships up to date - especially since the Teams web admin interface can be quite slow and cumbersome.

Here's a quick guide on some of the most common commands and uses

Install Microsoft Teams Powershell Module

Use the command below to install the Microsoft Teams powershell cmdlets

install-module -name MicrosoftTeams -force

Create a Team

I like to create new teams by using a variable ($newteam) - this makes additional tasks easier since you can reference the unique group ID for the new team directly from the $newteam variable.

$newteam = new-team -displayname "Test Team" -mailnickname "Test-Team" -owner "user@domain.com"

Update the properties for the display name, mailnickname (can't have spaces) and the team owner

Add a User/Member to a Team

If you've created the team like I have above and used a variable like $newteam, you can then use the properties for this variable for other tasks like this

add-teamuser -groupid $newteam.groupid -user "user@domain.com"

Add an additional Owner to a Team

add-teamuser -groupid $newteam.groupid -user "user@domain.com" -role owner

Remove User/Member from a Team

remove-teamuser -groupid $newteam.groupid -user "user@domain.com"


Thursday 27 May 2021

Searching for String within Multiple Files using Powershell

 I recently had a situation where I had to search for a particular string within a large number of files. More specifically, I was looking for what file contained a set of  text used for a menu on a website - the problem is I didn't know which file contained the text, but I knew what I was looking for. The web server had a large number of xml, html and css files, so I quickly put together a powershell script to search these files quickly and was able to find what I was looking for within a matter of minutes! Certainly faster than manually opening files and performing a CTRL + F find within them.

$files = get-childitem -path "C:\inetpub\wwwroot\*.css" -recurse
foreach ($file in $files)
    {
    $filecontent = get-content $($file.fullname)
    $lookup = $filecontent | select-string "What I'm Looking For"
    if ($lookup)
    {write-host "$($file.fullname)"}
    }

The first line searches the folder C:\inetpub\wwwroot for any file ending in .css.  The -recurse switch means it searches all subfolders within C:\inetpub\wwwroot as well. You can of course change the search directory and file type being searched for

$files = get-childitem -path "C:\inetpub\wwwroot\*.css" -recurse

The next section is a ForEach loop that goes through every file that is found within $files (as outlined above). The content of the file is read into the $filecontent variable

$filecontent = get-content $($file.fullname)

Next we perform a search of all the text within the $filecontent variable for a particular string of text. In this example the text we're looking for is "What I'm Looking For" - change this to whatever string of text you are trying to find tin these files. The result of the search is stored in the $lookup variable. If no match is found then $lookup will be null.

$lookup = $filecontent | select-string "What I'm Looking For"

Finally, if a result is found and the $lookup variable is not null, the full name of the file is written to the screen

if ($lookup)
    {write-host "$($file.fullname)"}

This little script saved me a heap of time - as built in windows search functions are pretty unreliable and don't search for content within files. Hope it is able to help you as well.

Tuesday 11 May 2021

Managing Google Classroom with GAM and Powershell

Part of my job requires me to actively manage our instance of Google Classroom - the adding/removal of teachers, students, changing of class owners are just a couple of the every day tasks that are required. Unfortunately, Google Classroom doesn't have an included management interface for doing this - but there is a great command line utility called "GAM" which I use to accomplish these tasks.

I looked at a few different management utilities to do this - and essentially left GAM until last as I was really after a reliable (and free) utility that had a graphical user interface (GUI) instead of command line, but unfortunately at the time I was looking there was nothing that met these requirements (and worked) for me.

GAM can be downloaded from here - they have an excellent Wiki section with detailed instructions on how to get GAM setup and running within your environment.

In subsequent blog posts I'll be covering some of the scripts/commands that I use to manage and bring some control over Google Classroom such as identifying active classes, exporting them to CSV, archiving (disabling) old classes that are no longer required, synchronising members (teachers and students) and managing/maintaining the owners of Classrooms.

I'll be executing GAM commands from within powershell to do this.

What tool do you use for managing Google Classroom? Do you wish Google would create some kind of web/graphical user interface to do this?


Monday 10 May 2021

Automatically Disable Expired Accounts in Active Directory with Powershell

Active Directory has the ability to set an expiration date on accounts so that the account becomes inactive and can't be accessed/logged into once this date has passed. The problem with the way this works, is that technically the account is still "enabled" - as it's not actually "disabled" - it's simply expired. Disabled accounts are easily identified within Active Directory Users & Computers  by a slightly different icon next to the account name. Expired accounts however, do not have any visual indication that they are expired, making them harder to identify.

I have created a powershell script which I run on a daily basis to automatically identify, and then disable any Active Directory accounts that have expired.

$report = @()
$expiredusers = get-aduser -Filter * -Properties AccountExpirationDate | where {$_.AccountExpirationDate -lt (get-date) -and $_.AccountExpirationDate -ne $null -and $_.enabled -eq $true}

if ($expiredusers)
    {
    set-aduser -identity $($user.samaccountname) -enabled $false -description $newdesc
    $report += new-object psobject -property @{Username=$($user.userprincipalname);AccountExpirationDate=$($user.accountexpirationdate);DN=$($user.distinguishedname)}
    }
The $report = @() line creates a new/blank array that we will use later on to store the results of any expired 

Next we perform a search using the get-aduser cmdlet to search all Active Directory accounts for those with an expiration date prior (less than) the current date and whose current account status is Enabled

An If statement is then run if any expired accounts are found which disables the account, and adds the account into the $report variable/array we declared earlier.

You can then export the $report variable to a CSV file, email it to yourself etc.

Friday 7 May 2021

Connect to Office365/O365 using Powershell

A quick an easy post with details on how to connect your Office 365 (O365) environment to allow management with powershell cmdlets

Make sure you change the value next to -Credential from username@domain.com to the username you need to use to connect

$ex = New-PSSession -ConfigurationName Microsoft.Exchange -Credential username@domain.com -ConnectionUri https://outlook.office365.com/powershell -Authentication basic -AllowRedirection

import-pssession $ex

After executing this command, a popup window will appear for you to enter your password into



You will then receive a couple of warning messages to indicate that your session has been redirected to a slightly different URL, and another about some of the imported commands. These can be safely ignored

WARNING: Your connection has been redirected to the following URI: "https://outlook.office365.com/PowerShell-LiveID?PSVersion=5.1.17763.1852 "
WARNING: The names of some imported commands from the module 'tmp_4kculvlx.2wc' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a
 list of approved verbs, type Get-Verb.

You can then proceed to manage your Office 365 environment with the standard powershell commands - get-mailbox etc.


Thursday 6 May 2021

Monitoring Hyper-V to Azure Site Replication with Powershell

Here is a simple script that I use to monitor the replication state of Hyper-V servers that I have replicated to Azure using Site Replication.

I have this script run every morning as a scheduled task which sends me an email with a nicely formatted table showing the replication status of all of my Hyper-V VM's to Azure

I have 4 Hyper-V nodes in a cluster - I have specified the 4 node names individually and used a ForEach loop to cycle through them all the generate the report. You can remove the loop if you're only using this for a single server/host.

(You will need to have the Hyper-V powershell module/cmdlets installed for this to work)

import-module Hyper-V -RequiredVersion 1.1
$repstate = @()
$date = get-date -f "dd-MM-yyyy"
$clusternodes = "node1", "node2", "node3", "node4"

foreach ($node in $clusternodes)
    {
    $repstate += get-vmreplication -computername $node | select Name, State, Health, Mode, FrequencySec, PrimaryServer, ReplicaServer, PrimaryServerName, LastReplicationTime
    }

You can then export the values from the $repstate variable to a CSV file and attach it, or as I have done, convert it to HTML and set it to the body of an email message

$mailmessage.Body = $repstate | ConvertTo-HTML -fragment



Wednesday 5 May 2021

Storing and Using Encrypted Passwords with Powershell

There are lots of reasons why a username and password may be incorporated into a Powershell script - naturally, the quickest and easiest way to do this is to simply store the username and password in a script using a couple of variables such as;

$username = "user1"
$password = "password1"

Simple, and it works, but is definitely not secure.

There is a simple method you can use though to encrypt the password using powershell and store it as a text file on your computer. The password is encrypted using the currently logged in windows account that is running the powershell script (when you encrypt it) so keep this in mind if you are trying to decrypt the password with a different user account (because it won't work).

This is of course a 2 step process. The first step is to take your unsecured password (yourpassword) then encrypt it, and store the encrypted text value into a txt file (in C:\temp\user1-secpw.txt)

#Store Secure Credentials 
$unsecpw = "yourpassword"
$secpw = $unsecpw | convertto-securestring -asplaintext -force
$securestringtext = $secpw | convertfrom-securestring
set-content "C:\temp\user1-secpw.txt" $securestringtext

Once you've done this part and you have your password stored in the txt file, you should at the very least clear the value from the $unsecpw if you are saving this script - otherwise you're essentially defeating the purpose of encrypting it in the first place.

The second part is of course the process of importing the txt file into a new script so you can use the password. As previously mentioned, you will only be able to decrypt the password if you are executing the decryption commands under the same user security context (ie. windows user) as when you encrypted it.

$pwd = get-content "C:\temp\user1-secpw.txt" | convertto-securestring
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pwd)
$Unsecpw = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

Your password is now available to use via the $unsecpw variable

Tuesday 4 May 2021

Reading Emails from O365 Mailbox with Powershell

Here is a script you can use to connect to an Office 365 (O365) mailbox to read/parse email messages. After the message has been read it is then moved to a specific folder within the mailbox. The full script is included first, and I will then break it down section by section afterwards

#Enable Exchange/O365 cmdlets
add-pssnapin *exchange* -erroraction SilentlyContinue
Import-Module MSOnline -ErrorAction SilentlyContinue

#Credentials
$email = email@domain.com
$password = "password"
$emaildomain = domain.com

#Connect to Mailbox
[void][Reflection.Assembly]::LoadFile("C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll")
$s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)
$s.Credentials = New-Object Net.NetworkCredential($email, $password, $emaildomain)
$s.Url = new-object Uri("https://outlook.office365.com/EWS/Exchange.asmx");
$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)

#Setup folder and folder view (to move completed messages to)
$fv = new-object Microsoft.Exchange.WebServices.Data.FolderView(30)
$fv.Traversal = "Deep"
$folders = $s.findFolders([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::MsgFolderRoot,$fv)
$processedfolder = $folders | where {$_.displayname -eq "ProcessedEmails"}

#Get unread messages
$msgs = $null
$iv = new-object Microsoft.Exchange.WebServices.Data.ItemView(50)
$inboxfilter = new-object Microsoft.Exchange.WebServices.Data.SearchFilter+SearchFilterCollection([Microsoft.Exchange.WebServices.Data.LogicalOperator]::And)
$ifisread = new-object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::IsRead,$false)
$inboxfilter.add($ifisread)
$msgs = $s.FindItems($inbox.Id, $inboxfilter, $iv)

#If unread message(s) found, do stuff
if ($msgs.totalcount -ne 0)
    {
    $psPropertySet = new-object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
    $psPropertySet.RequestedBodyType = [Microsoft.Exchange.WebServices.Data.BodyType]::Text;
    $s.LoadPropertiesForItems($msgs,$psPropertySet)
    $msgs = $msgs.items
    }

#Move Message to Processed Folder
$msg.Move($processedfolder.Id)


The #Enable Exchange/O365 Cmdlets section as the comment suggests is to enable the Microsoft Exchange & Office 365 cmdlets

add-pssnapin *exchange* -erroraction SilentlyContinue
Import-Module MSOnline -ErrorAction SilentlyContinue

The #Credentials section is where you enter the details (username, password and email domain) used to connect to the mailbox

#Credentials
$email = email@domain.com
$password = "password"
$emaildomain = domain.com

Next, we will connect to the mailbox (and look at the Inbox folder specifically), using the credentials specified above and Microsoft Exchange Web Services. If you don't already have the Exchange Web Services files installed you will need to install them

#Connect to Mailbox
[void][Reflection.Assembly]::LoadFile("C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll")
$s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)
$s.Credentials = New-Object Net.NetworkCredential($email, $password, $emaildomain)
$s.Url = new-object Uri("https://outlook.office365.com/EWS/Exchange.asmx");
$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)

Now, a folder view is setup to obtain the list of all the folders in the mailbox. All the list of available folders are stored in the $folders variable. We then look for a folder called "ProcessedTickets" and set this folder to be the $processedfolder variable. We use this variable (folder) later on to move processed emails into. You can of course change this folder name to be anything you like.

#Setup folder and folder view (to move completed messages to)
$fv = new-object Microsoft.Exchange.WebServices.Data.FolderView(30)
$fv.Traversal = "Deep"
$folders = $s.findFolders([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::MsgFolderRoot,$fv)
$processedfolder = $folders | where {$_.displayname -eq "ProcessedEmails"}

Now we will retrieve any unread messages within the mailbox - filters are set using the $inboxfilter and $ifisread variables. All messages matching the search criteria are stored in the $msgs variable

#Get unread messages
$msgs = $null
$iv = new-object Microsoft.Exchange.WebServices.Data.ItemView(50)
$inboxfilter = new-object
Microsoft.Exchange.WebServices.Data.SearchFilter+SearchFilterCollection([Microsoft.Exchange.WebServices.Data.LogicalOperator]::And)
$ifisread = new-object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::IsRead,$false)
$inboxfilter.add($ifisread)
$msgs = $s.FindItems($inbox.Id, $inboxfilter, $iv)

If messages are found in the $msgs variable, the properties for those messages are then loaded back into the $msgs variable

#If unread message(s) found, do stuff
if ($msgs.totalcount -ne 0)
    {
    $psPropertySet = new-object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
    $psPropertySet.RequestedBodyType = [Microsoft.Exchange.WebServices.Data.BodyType]::Text;
    $s.LoadPropertiesForItems($msgs,$psPropertySet)
    $msgs = $msgs.items
    }

If you look at the $msgs variable at this point, it should contain the properties of all mail messages found in the inbox that are unread. You can then use a foreach loop to cycle through each message and action accordingly.

Properties such as subject, body text, from address are all available and can be used to further filter entries

Once you've actioned the email and done what you need, you can then move the email into the processedfolders folder we previously specified

#Move Message to Processed Folder
$msg.Move($processedfolder.Id)


Monday 3 May 2021

Write XML Files with Powershell - The Easy Way

 I needed to create a custom XML file using powershell as part of a script I was developing. I found it difficult to understand and use the in-built XML functionality with powershell so I attempted to simply use write-output commands to write the XML file. It worked - mostly, but the application I was submitting the XML file wasn't recognizing it. As it turns out there's some hidden properties within a properly formed XML file which requires a little trick to get right when forming it this way - so here's how I did it..

            $xmlfile = "C:\temp\test.xml"
            write-output '<?xml version="1.0"?>' | out-file "$xmlfile"
            write-output '<test>' | out-file "$xmlfile" -append
            write-output "  <version>1.0</version>" | out-file "$xmlfile" -append
            write-output '</test>' | out-file "$xmlfile" -append

            $xml = [xml](Get-Content $xmlfile)
            $xml.Save($xmlfile)

The first part of the script is fairly straightforward - declare the path to your XML file in the $xmlfile variable.

Then, use write-output commands to enter the text data into your XML file - make sure you include the -append argument after the first line to ensure the lines are appended onto the end of the file - you can open the file in a text editor such as NotePad++ to make sure it appears as you expect. Make sure you close off all your tags so that formatting is valid.

The last 2 lines is the trick I previously mentioned - use the [xml] class with get-content to import the XML file into the $xml variable. Once the data is in the $xml variable, it is then re-saved - these 2 lines are what puts the hidden formatting into the XML file to make it valid.


Friday 30 April 2021

Export DHCP Scope Properties with Powershell

Export DHCP Scope Properties with Powershell

Use this script to export DHCP scope properties (to a .csv file) with Windows Powershell

To view all available DHCP scope ID's, use the command (run it from the local DHCP server)

Get-DhcpServerv4Scope

Set the output file using the $outfile variable

$outfile = "C:\path\outputfile.csv"

You can then add the scopes you wish to include to the $dhcpscopeids list

$dhcpscopeids = "10.0.0.0", "10.1.0.0", "10.2.0.0" 

Cycle through each scope, retrieve the properties into the $scopeprops variable, then export the details to the $outfile CSV file. In this example, all DHCP scope properties are exported (appended) to a single file

foreach ($dhcpscope in $dhcpscopeids)
    {
    $scopeprops = Get-DhcpServerv4Scope -computername localhost -scopeid $dhcpscope
    $leases = Get-DhcpServerv4Lease -computername localhost -allleases -scopeid ($scopeprops.scopeid)
    $leases | export-csv "$outfile" -NoTypeInformation -append
    }